Changing master key (Kerberos authentication server+LDAP database)

Anubha Gupta anuafs84 at gmail.com
Wed Jul 27 14:23:26 EDT 2011


Thanks for the reply, Simo. But I don't see any stash file on my system. I'm
using AIX Network Authentication Service (NAS, which is mapped to MIT
Kerberos 1.6.3) as the authentication server and IBM DB2 LDAP as the
database server. I need to re-encrypt the database with a new master key,
but I can't see a stash file on my system. I'm assuming the master key is
stored on LDAP, not sure though. Any suggestions?

Thanks,
Anubha

On Wed, Jul 27, 2011 at 7:06 PM, Simo Sorce <simo at redhat.com> wrote:

> On Wed, 2011-07-27 at 05:28 -0700, Anubha Gupta wrote:
> > Is it possible to change the master key of a realm when LDAP is used
> > as the database server? The stash file is not present since LDAP is
> > used. Appreciate any help on this.
>
> The standard kldap driver still uses the stash file to hold the master
> key as far as I know.
>
> You can use kdb5_dump to dump and change the passwords and load them
> back with older releases. In 1.9 it should be possible to change keys
> while keeping the database online by storing both the old and the new
> master key in the new keytab format stash file.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
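Simo's answer above sketches the 1.9-era online rotation. As an added example that is not part of the thread, here is that rotation scripted with the kdb5_util master-key subcommands (add_mkey, list_mkeys, use_mkey, update_princ_encryption, purge_mkeys) that exist in MIT Kerberos 1.7 and later; it assumes a keytab-format stash file already exists and that the administrator passes the realm and the new key's KVNO (as reported by list_mkeys) as arguments, so it does not apply to the 1.6.3 build the original poster is on.

```sh
#!/bin/sh
# Added example, not from the thread: rotate the KDC master key while the
# database stays online, using kdb5_util (MIT Kerberos 1.7+).
# Assumed: realm is $1, the KVNO of the freshly added key is $2, and a
# keytab-format stash file is already in use so both keys can be stashed.

# Confirm that list_mkeys actually reports the requested KVNO before we
# make it the active key; a typo here would otherwise leave a key in use
# that is not in the stash.
mkey_present() {
    realm="$1"; kvno="$2"
    kdb5_util -r "$realm" list_mkeys | grep -q "^KVNO: ${kvno},"
}

rotate_master_key() {
    realm="$1"; new_kvno="$2"

    # 1. Add a new master key and stash it (-s). The stash now holds the
    #    old and the new key, which is what keeps the KDC running meanwhile.
    kdb5_util -r "$realm" add_mkey -s || return 1

    # 2. Refuse to continue unless the database lists the new key.
    mkey_present "$realm" "$new_kvno" || {
        echo "master key KVNO $new_kvno not found in list_mkeys" >&2
        return 1
    }

    # 3. Make the new key the one used for newly written principal keys.
    kdb5_util -r "$realm" use_mkey "$new_kvno" || return 1

    # 4. Re-encrypt every principal's keys under the active master key
    #    (-f skips the interactive confirmation).
    kdb5_util -r "$realm" update_princ_encryption -f || return 1

    # 5. Remove master keys that no principal references any more.
    kdb5_util -r "$realm" purge_mkeys -f || return 1
}
```

Source the file on the KDC and call `rotate_master_key REALM NEW_KVNO`; add_mkey will prompt for the new master password, and the step order matters because use_mkey before update_princ_encryption is what lets the old key stay available until every principal has been re-encrypted.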
